Closed Bug 631946 Opened 13 years ago Closed 13 years ago

SVG DOM lists should limit the number of items to the number they can index

Categories

(Core :: SVG, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jwatt, Assigned: jwatt)

Details

(Whiteboard: [patch from bug 631939 must come first])

Attachments

(1 file, 2 obsolete files)

Followup from bug 631939. SVG DOM lists should limit the number of items to the number of items that they can index.
Attached patch patch (obsolete) — Splinter Review
Assignee: nobody → jwatt
Status: NEW → ASSIGNED
Attachment #510193 - Flags: review?(roc)
Attachment #510193 - Flags: approval2.0?
Attachment #510193 - Flags: review?(roc)
Attachment #510193 - Flags: review+
Attachment #510193 - Flags: approval2.0?
Attachment #510193 - Flags: approval2.0+
Attached patch patch for checkin (obsolete) — Splinter Review
Attachment #510193 - Attachment is obsolete: true
This patch depends on the patch in bug 631939 (also ready to push), so land that one first.
Whiteboard: [patch from bug 631939 must come first]
Comment on attachment 510194
patch for checkin

>@@ -170,16 +170,21 @@ DOMSVGPathSegList::InternalListWillChang
>     // Only now may we truncate mItems
>     mItems.SetLength(newLength);
> 
>   } else if (dataIndex < dataLength) {
>     // aNewValue has more items than our previous internal counterpart
> 
>     // Sync mItems:
>     while (dataIndex < dataLength) {
>+      if (mItems.Length() - 1 > DOMSVGPathSeg::MaxListIndex()) {
>+        // It's safe to get out of sync with our internal list as long as we
>+        // have FEWER items than it does.
>+        return;
>+      }
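Review bot: the subtraction in the added condition `mItems.Length() - 1 > DOMSVGPathSeg::MaxListIndex()` is not guarded against an empty mItems. With an unsigned Length(), a length of 0 wraps to the largest representable value, the comparison is true, and the loop returns before appending anything, which leaves mItems shorter than the internal list even though the index limit has not been reached. Guard the subtraction, for example `mItems.Length() && mItems.Length() - 1 > DOMSVGPathSeg::MaxListIndex()`, or restate the bound so that nothing is subtracted from the length. A test that grows a list from empty would catch this case.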

This caused the orange on the try push, because mItems.Length() returns an unsigned value, and so subtracting 1 causes us to return here, which gets us out of sync.
Attachment #510194 - Attachment is obsolete: true
Version: unspecified → Trunk
Comment 7 passed try-server (after some RelEng woes were resolved in bug 632211).
  --> Adding checkin-needed flag, at jwatt's request.
(For anyone checking this in, note whiteboard contents: patch from bug 631939 must come first.)
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/5268e56c2b26
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Keywords: checkin-needed
Resolution: --- → FIXED